Dynamic chain of service functions for processing network traffic

ABSTRACT

The technology disclosed herein enables a dynamic chain of service functions for processing network traffic. In a particular embodiment, a method includes, in a logical router for a logical network connecting service functions, receiving a network packet from a service function over the logical network after the network packet has been processed by the service function. The method further includes determining a new classification of the network packet and determining a next service function based on application of a service chain policy to the new classification. The method also includes directing the network packet to the next service function over the logical network.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 15/593,516, entitled “A DYNAMIC CHAIN OF SERVICE FUNCTIONS FOR PROCESSING NETWORK TRAFFIC IN A VIRTUAL COMPUTING ENVIRONMENT,” filed May 12, 2017, which is hereby incorporated by reference in its entirety.

TECHNICAL BACKGROUND

Traditionally, computer network traffic from a source to a destination may be processed by service functions implemented by distinct physical devices on a communication network. The physical service functions may include a network firewall, load balancer, antivirus, intrusion detection, media optimization, or any other type of function that may be desired for network traffic between a source and a destination. Service functions that process the network traffic in sequence form what is called a service chain. Given that the physical devices of these service functions are connected through traditional network equipment (e.g., routers, switches, etc.), or directly to one another in series, the sequence in which network traffic is processed in a service chain is relatively static. That is, either the service functions themselves, or the link sequence between them, must be modified to make changes to the service chain.

Virtualization of service functions (e.g., as virtual machines, containers, containers in virtual machines, unikernels, etc.) has allowed for additional flexibility when implementing the service functions. This is a baseline essential need when new solutions like Network Function Virtualization (NFV) are introduced. However, the static nature of the service chain predominantly remains unless additional network topology intelligence is added to the virtualized environment. For instance, a service chain topology overlay may be created on top of the network virtualization overlay in the network environment, a new network header may be added to network packets to provide better control over the service chain, or existing packet processing headers (say, VLAN-ID) may be manipulated to provide the desired service. All of these options require additional network topology overhead beyond what would otherwise be needed, as they add control plane, data plane, and Operations, Administration and Management (OAM) requirements.

SUMMARY

The technology disclosed herein enables a dynamic chain of service functions for processing network traffic. In a particular embodiment, a method includes, in a logical router for a logical network connecting service functions, receiving a network packet from a service function over the logical network after the network packet has been processed by the service function. The method further includes determining a new classification of the network packet and determining a next service function based on application of a service chain policy to the new classification. The method also includes directing the network packet to the next service function over the logical network.

In some examples, the method includes, after the network packet has been processed by the next service function and before the logical router passes the network packet to a second next service function, determining the second next service function based on application of the service chain policy to the new classification. The method further includes directing the network packet from the logical router to the second next service function.

In some examples, determining the new classification includes processing the network packet to identify information about the network packet. The information indicates the new classification. In those examples, the information may include an Ethernet encapsulation of the network packet by the one service function or data contained in a header of the network packet. Also, in those examples, processing the network packet may include performing deep packet inspection (DPI) on the network packet to obtain the information.

In some examples, the method includes determining an initial classification of the network packet, determining the service function based on application of the service chain policy to the initial classification, and directing the network packet to the service function over the logical network.

In some examples, determining the initial classification includes classifying the network packet based on a source of the network packet.

In some examples, the method includes receiving an update for the service chain policy in the logical router. The update for the service chain policy indicates a different next service function than the next service function for subsequent network packets having the new classification.

In some examples, the logical router comprises a distributed logical router executing on one or more host computing systems.

In another example, an apparatus is provided having one or more host computing systems configured to implement a logical router for a logical network connecting service functions. The logical router is configured to receive a network packet from a service function over the logical network after the network packet has been processed by the service function. The logical router is further configured to determine a new classification of the network packet and determine a next service function based on application of a service chain policy to the new classification. The logical router is also configured to direct the network packet to the next service function over the logical network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a computing environment for processing network traffic using a dynamic chain of service functions.

FIG. 2 illustrates a method of operating the computing environment to process network traffic using a dynamic chain of service functions.

FIG. 3 illustrates an operational scenario of the computing environment to process network traffic using a dynamic chain of service functions according to one implementation.

FIG. 4 illustrates another computing environment for processing network traffic using a dynamic chain of service functions.

FIG. 5 illustrates a logical arrangement of the other computing environment to process network traffic using a dynamic chain of service functions.

FIG. 6 illustrates an operational scenario of the other computing environment to process network traffic using a dynamic chain of service functions according to one implementation.

FIG. 7 illustrates a service chain policy for the operational scenario of the other computing environment to process network traffic according to one implementation.

FIG. 8 illustrates an operational scenario for implementing the service chain policy to process network traffic according to one implementation.

DETAILED DESCRIPTION

To allow a service chain to be implemented dynamically in a virtual computing environment without the addition of a service topology network layer, the technology herein leverages the network infrastructure of a virtual computing environment. Specifically, virtual computing environments include virtualization software elements executing on physical host computing systems that in turn host virtual computing elements. For example, a hypervisor is a virtualization software element that executes on a host computing system and provides a platform on which one or more virtual machines execute to share the hardware resources of the host computing system. Another example of a virtual computing element is a system-level operating system that supports multiple namespace containers, such as Docker® containers, which are virtualization elements that can connect to a network with their own unique IP and MAC addresses distinct from other containers executing on the same host. The virtualization software elements are further used to enhance the network infrastructure connecting the virtual computing elements supported thereby. A virtualization software element is aptly positioned to operate on those communications since all communications exchanged with a virtual computing element will pass through the virtualization software element. The NSX® network virtualization platform from VMware® is an example of a logical overlay network infrastructure that allows virtual elements to communicate in isolated software-defined networks. Such logical overlay networks allow for a dynamic service chain to be implemented without an additional network topology layer and all the network overhead that comes with that additional layer.

FIG. 1 illustrates computing environment 100 for processing network traffic using a dynamic chain of service functions. Computing environment 100 includes service function 101, service function 102, service function 103, virtual router 104, traffic source 105, and traffic destination 106. Service functions 101-103, traffic source 105, and traffic destination 106 exchange network communication traffic via virtual router 104 and logical communication links connected thereto. Virtual router 104, which may also be described as a logical router or distributed logical router (DLR), communicates with service functions 101-103 over logical overlay network links, e.g., using an encapsulation protocol such as VXLAN or NVGRE, both of which are well-known standard network overlay tunneling protocols in the field of logical overlay networking. The logical communication links may be implemented over one or more physical communication links as well as intervening networks, systems, and devices (e.g., routers, switches, etc.). Service functions 101-103 execute as or within respective virtual computing elements on one or more host computing systems 121. Virtual router 104 also executes on host computing systems 121 as part of a virtual network infrastructure for the virtual computing elements. Traffic source 105 and traffic destination 106 may each comprise a computer system/device, a network, a network domain or subdomain, or some other location from/to which data packets may enter and exit virtual router 104. It should be understood that traffic source 105 and traffic destination 106 may be, but need not be, the origin of the data packets or the final destination of the data packets. Likewise, while traffic source 105 and traffic destination 106 are shown outside of host computing systems 121, traffic source 105 and/or traffic destination 106 may also be implemented as virtual computing elements on host computing systems 121.

In operation, service functions 101-103 comprise possible service functions that make up a service chain and may include a virtual network firewall, load balancer, antivirus scanner, intrusion detector, media optimizer, or any other type of function for processing network traffic. Service functions 101-103 operate on whatever network traffic is sent to them regardless of where each service function falls in the sequence of a service chain for the network traffic. In some cases, one or more of service functions 101-103 may even be excluded from the service chain. Accordingly, as will be explained in more detail below, virtual router 104 can, based on metadata information, dynamically change the sequence of service functions 101-103 in a service chain without affecting the operation of the individual service functions.

FIG. 2 illustrates method 200 of operating computing environment 100 to process network traffic using a dynamic chain of service functions. In method 200, virtual router 104 is provided with a service chain policy (201). The service chain policy is used by virtual router 104 after each hop (i.e., service function) of a service chain to determine where network traffic should be directed at the next hop. The service chain policy indicates a sequence of service functions 101-103 to use depending on how network traffic is classified. Network traffic may be classified based on a source of the network traffic, a destination to which the network traffic is directed, the type of communications carried by the network traffic (e.g., protocol type, media type, etc.), the amount of network traffic, or any other way in which data traffic can be distinguished—including combinations thereof. The service chain policy may be provided by a controller of virtual router 104, may be provided by user input to virtual router 104 either directly or through the controller, may be generated automatically based on historical service chain application to network traffic, may be provided to virtual router 104 by a service orchestration platform (or some other external system), or may be obtained by virtual router 104 in some other manner. Additionally, virtual router 104 may be provided with subsequent updates to the service chain policy.

Method 200 further provides virtual router 104 determining an initial classification of a network packet entering the dynamic service chain from traffic source 105 (step 202). The initial classification indicates at least a first service function of service functions 101-103 in a sequence of the service chain. That is, virtual router 104 may apply the service chain policy to the initial classification to determine which of service functions 101-103 the network packet should be directed to first. It should be understood that, while method 200 is described with respect to a single packet, the single packet may be one of many packets to which method 200 is applied. Virtual router 104 may itself assign the initial classification to the network packet or may determine the initial classification of the network packet as assigned by some other system, such as a gateway positioned between traffic source 105 and virtual router 104. When classified by another system, the initial classification may be transferred to virtual router 104 along with the network packet (e.g., piggybacked with the network packet). The initial classification may be something that can be gleaned from the network packet's header information, such as the network packet being from traffic source 105 and being directed to traffic destination 106. The service chain policy may therefore indicate that packets between traffic source 105 and traffic destination 106 should first be directed to a particular service function. The initial classification may also, or instead, be based on other information from the network packet's payload, such as the type of data the network packet is carrying, a protocol used by the data in the network packet, or some manner in which the data carried by the network packet may be distinguished—including combinations thereof. Virtual router 104 may therefore be able to classify network packet traffic up to Layer 7 (L7), which typically requires Deep Packet Inspection (DPI). In some cases, the virtual network infrastructure may be configured to classify network packets for other purposes and, therefore, would not require additional capabilities to perform the classification for virtual router 104.

After the network packet has been processed by a service function in the sequence of the service chain and before virtual router 104 passes the network packet to the next service function in the sequence, method 200 provides virtual router 104 applying the service chain policy to the network packet to determine the next service function in the sequence (203). In other words, virtual router 104 has the ability to reapply the service chain policy at each hop of the network packet, so the sequence of the service chain can be changed even mid-sequence. In some cases, virtual router 104 may first determine whether to reclassify the network packet. The reclassification may be performed in a manner similar to that described above for the initial classification. If the network packet's classification remains the same, then virtual router 104 will apply the service chain policy to determine the next hop under the same classification as the previous hop. Otherwise, if the network packet's classification changes, then virtual router 104 will apply the service chain policy to determine the next hop under that newly changed classification.

Regardless of the classification used to determine the next service function hop, once that next service function has been determined, method 200 provides virtual router 104 directing the network packet to the next service function (204). Steps 203 and 204 repeat until the service chain policy indicates that no more service functions remain in the service chain and the network packet is passed to traffic destination 106. However, it should be understood that some service functions, such as a network firewall function, may themselves prevent a network packet from being passed on to the next service function by stopping the network packet before the network packet is passed back to virtual router 104.
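The per-hop loop of method 200 (steps 201-204), including the mid-chain reclassification of step 203 and the case where a service function stops the packet, as an added Python illustration that is not the patent's code. The three service function behaviours, the classification labels and the policy table are assumptions constructed for this example; the ordinary-traffic path reproduces the service function 102 then service function 101 sequence that scenario 300 below describes.

```python
"""Method 200 in miniature: virtual router 104 applies the service chain
policy after every hop and may reclassify the packet between hops.
Added illustration, not the patent's code. The service functions, the
classification labels and the policy table are constructed for this example."""
from dataclasses import dataclass, field

DESTINATION = "traffic_destination_106"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    # Metadata a service function may attach; virtual router 104 reads it
    # when reclassifying (stand-in for DPI or a piggybacked classification).
    flags: set = field(default_factory=set)


# Step 201: the service chain policy. For each classification it maps the
# service function a packet just left (None = entering from traffic source
# 105) to the next hop. Because the router looks it up after every hop, a
# packet whose classification changes mid-chain follows a different row.
POLICY = {
    "src105->dst106": {
        None: "sf102", "sf102": "sf101", "sf101": DESTINATION},
    "src105->dst106:suspicious": {
        None: "sf102", "sf102": "sf103", "sf101": "sf103", "sf103": DESTINATION},
}


def classify(pkt):
    """Initial classification (step 202) uses header fields only; the same
    routine, rerun at step 203, also sees metadata a service function added."""
    cls = f"{pkt.src}->{pkt.dst}"
    if "suspicious" in pkt.flags:
        cls += ":suspicious"
    return cls


# Constructed service functions. Each returns the packet to the router, or
# None when it stops the packet (the firewall case described for step 204).
def sf101(pkt):                      # e.g. load balancer: pass-through
    return pkt

def sf102(pkt):                      # e.g. intrusion detector: annotates
    if b"suspicious-marker" in pkt.payload:  # constructed signature
        pkt.flags.add("suspicious")
    return pkt

def sf103(pkt):                      # e.g. firewall: drops flagged traffic
    return None if "suspicious" in pkt.flags else pkt

SERVICE_FUNCTIONS = {"sf101": sf101, "sf102": sf102, "sf103": sf103}


def route(pkt, policy=POLICY, max_hops=16):
    """Steps 202-204. Returns (delivered_packet_or_None, hops_taken)."""
    cls = classify(pkt)          # step 202: initial classification
    prev, hops = None, []
    for _ in range(max_hops):    # bound the chain in case a policy loops
        try:
            nxt = policy[cls][prev]
        except KeyError:
            raise LookupError(f"policy has no next hop for ({cls!r}, {prev!r})") from None
        if nxt == DESTINATION:   # chain ended: hand off to traffic destination 106
            return pkt, hops
        hops.append(nxt)
        pkt = SERVICE_FUNCTIONS[nxt](pkt)   # step 204: direct to next hop
        if pkt is None:          # service function stopped the packet
            return None, hops
        prev = nxt
        cls = classify(pkt)      # step 203: reclassify, then reapply the policy
    raise RuntimeError("service chain exceeded max_hops")


def update_policy(policy, cls, prev, new_next):
    """A policy update as in the summary: subsequent packets of this
    classification leaving `prev` go to a different next service function."""
    policy.setdefault(cls, {})[prev] = new_next


if __name__ == "__main__":
    print(route(Packet("src105", "dst106", b"ordinary payload")))
    print(route(Packet("src105", "dst106", b"suspicious-marker payload")))
```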

FIG. 3 illustrates operational scenario 300 of computing environment 100 to process network traffic using a dynamic chain of service functions according to one implementation. Scenario 300 is an example of how method 200 may be applied to network packet 301, which ends up being processed by two service functions in a service chain before being passed to traffic destination 106. Network packet 301 is first received into virtual router 104 at step 1, where virtual router 104 determines a first service function of service functions 101-103 to process network packet 301 based on what the service chain policy indicates regarding network packet 301's initial classification. In this case, service function 102 is determined to be the first service function in the sequence that is the service chain for network packet 301. Service function 102 receives network packet 301 and processes network packet 301 at step 2 before passing network packet 301 back to virtual router 104.

Upon receiving network packet 301 from service function 102, virtual router 104 again determines at step 3 which of service functions 101-103 should next process network packet 301. In all likelihood, service function 102 would not process network packet 301 again, but there may exist a situation where the service chain policy indicates that it should. Nevertheless, in this example, virtual router 104 determines that the next hop for network packet 301 should be service function 101. Service function 101 may be indicated as the next hop by the service chain policy still based on the initial classification of network packet 301, or network packet 301 may be reclassified by virtual router 104 during step 3. In some cases, if network packet 301 is reclassified, the reclassification may be due to the processing performed by service function 102 that modified network packet 301 in some way. Service function 101 receives network packet 301 and processes network packet 301 at step 4 before passing network packet 301 back to virtual router 104.

Upon receiving network packet 301 from service function 101, virtual router 104 again determines a next hop of network packet 301 at step 5. As was the case at step 3, virtual router 104 may reclassify network packet 301 before applying the service chain policy to that new classification. In this case, virtual router 104 determines that no more service functions are needed in the service chain and passes network packet 301 to traffic destination 106. While service function 103 was not involved in the service chain of scenario 300, it should be understood that other network packets, based on their characteristics according to the service chain policy, may be routed through service function 103 in addition to service function 102 and service function 101, or service function 103 may replace one or both of service function 101 and service function 102 in the service chain. Thus, the service chain policy dictates which service functions are in the service chain for a particular network packet and the order in which those service functions fall in the sequence of the service chain.

FIG. 4 illustrates computing environment 400 for processing network traffic using a dynamic chain of service functions. Computing environment 400 includes host computing system 421, host computing system 431, communication gateway 441, source communication network 451, and destination communication network 452. Communication networks 451 and 452 may include the Internet, a private micro data center, a mobile edge computing node, one or more local area networks, and/or one or more wide area networks. It should be understood that using communication networks as the source and destination is merely exemplary and that the source and destination could be other types of systems, including virtualized workloads on host computing systems.

In this example, host computing system 421 executes hypervisor 423 to allocate physical computing resources 422 among service function virtual machines 401-404. Likewise, host computing system 431 executes hypervisor 433 to allocate physical computing resources 432 among service function virtual machines 405-407 and control virtual machine 408. Physical computing resources 422 and 432 may include processing resources (e.g., processing circuitry, CPU time/cores, etc.), memory space (e.g., random access memory, hard disk drive(s), flash memory, etc.), network interfaces, user interfaces, or any other type of resource that a physical computing system may include. Hypervisor 423 and hypervisor 433 each include an instance of distributed logical router (DLR) 409, which is part of the virtual network infrastructure that connects virtual machines executing on host computing system 421 and host computing system 431.

It should be understood that the distribution of virtual machines evenly across two host computing systems, as shown in FIG. 4, is merely exemplary. The eight virtual machines shown may instead be implemented on any number of host computing systems from one to eight. Likewise, host computing systems 421 and 431 could host additional virtual machines and/or other virtual elements that are not involved in this example.

FIG. 5 illustrates a logical arrangement 500 of computing environment 400 to process network traffic using a dynamic chain of service functions. As shown by logical arrangement 500, the separate instances of DLR 409 on host computing system 421 and host computing system 431 operate to form a single logical router between service function VMs 401-407 and gateway 441. Control VM 408 is not part of the data plane through which service function VMs 401-407 and gateway 441 exchange network traffic but, instead, controls at least DLR 409 via a control plane in the virtual environment that includes service function VMs 401-407 and DLR 409. Gateway 441 is configured to pass network traffic into and out of the virtual environment. Additional gateways may be present in other examples. Likewise, while gateway 441 is shown only connected to source communication network 451 and destination communication network 452, gateway 441 may be connected to other communication networks not shown.

FIG. 6 illustrates operational scenario 600 of computing environment 400 to process network traffic using a dynamic chain of service functions according to one implementation. In scenario 600, control VM 408 provides service chain policy 700 to DLR 409 over the virtual environment's control plane at step 1. After this initial provision of service chain policy 700 to DLR 409, service chain policy 700 may be updated at times in the future by control VM 408 providing such updates to DLR 409. Service chain policy 700 may have been provided to control VM 408 by a user (e.g., administrator) of computing environment 400 or may have been generated by control VM 408 automatically with or without input from a user. Once DLR 409 has been provided with service chain policy 700, DLR 409 can begin routing traffic to service function VMs 401-407 based on service chain policy 700.

In this example, at step 2, network packet traffic is received at gateway 441 from source communication network 451. It should be understood that the use of gateway 441 in this embodiment is merely exemplary. Other examples may use other elements to provide the initial classification, such as customer premises equipment in source communication network 451 or DLR 409 itself. Upon receiving the network traffic, gateway 441 classifies the network traffic to assign an initial classification to the network traffic. Since gateway 441 in this example is not capable of DPI-type classifications, the initial classification is based on what gateway 441 can determine from L3 information in the network traffic. For instance, gateway 441 may simply recognize that the network traffic was received from source communication network 451 and is directed to destination communication network 452. In other examples, gateway 441 may determine an L3 protocol being used by the network traffic and use that to determine the initial classification (e.g., classified as video call packets from source communication network 451).

After classifying the network traffic, gateway 441 passes the network traffic on to DLR 409 at step 4. The initial classification of the network traffic may be passed to DLR 409 in a packet that piggybacks on the network traffic in one example. In other examples, gateway 441 may ensure that the information used by gateway 441 to determine the initial classification of the network traffic is maintained when transferred to DLR 409 so that DLR 409 can make a like determination. In yet other examples, gateway 441 may tag traffic using Virtual Local Area Network (VLAN) tagging, or some other form of network traffic tagging, to indicate the initial classification. In these examples, gateway 441 may encapsulate the network traffic using a certain VLAN tag value depending on the initial classification, and DLR 409 recognizes those VLAN tag values for classification purposes rather than VLAN routing. Other manners of providing the initial classification to DLR 409, such as including information in metadata, may also be used. Once the network traffic is received by DLR 409, DLR 409 determines what gateway 441 determined to be the initial classification of the network traffic so that DLR 409 can begin to follow service chain policy 700 with respect to the network traffic at step 5.

FIG. 7 illustrates service chain policy 700 for scenario 600 to process network traffic according to one implementation. In particular, FIG. 7 provides a flowchart representation of service chain policy 700 to better understand how DLR 409 follows service chain policy 700 at step 5 of scenario 600. Thus, service chain policy 700 focuses on network traffic having the initial classification of the network traffic in scenario 600. It should be understood, however, that service chain policy 700 may include other possible service chains, not shown, for other possible classifications. Likewise, other possible classifications may be handled by different service chain policies also provided to DLR 409.

In this example, the initial classification is that the network traffic includes packets from source communication network 451 directed to destination communication network 452. Service chain policy 700 indicates that traffic of that type be first processed by service function VM 403, so DLR 409 passes the network traffic to service function VM 403 accordingly. Service function VM 403, upon completion of its processing of the network traffic, will pass the network traffic back to DLR 409. DLR 409 then references service chain policy 700 to determine where the network traffic exiting service function VM 403 should be sent next. In this case, service chain policy 700 indicates that the network traffic from service function VM 403 should be sent to service function VM 401. Thus, DLR 409 passes the network traffic to service function VM 401, which processes the network traffic before passing the network traffic back to DLR 409.

Upon receiving the network traffic from service function VM 401, service chain policy 700 indicates to DLR 409 that DLR 409 should determine whether the network traffic includes characteristic X. Having characteristic X diverts network traffic to service function VM 404. In contrast, not having characteristic X indicates that the network traffic should be passed to service function VM 402. For example, characteristic X may comprise a characteristic that indicates the network traffic requires a more thorough antivirus scan than would otherwise be used. Thus, service chain policy 700 directs the network traffic to a branch of the service chain where a service function VM will perform the more thorough antivirus scan. In another example, characteristic X may indicate that the network traffic contains sensitive information that should include a level of encryption provided by a certain service function VM.

Characteristic X may be any characteristic of the network traffic that may be identified at L2 up to L7, such as a type of data carried by the traffic, an application that generated the traffic, information determined while a service function VM was processing the traffic, a time at which the traffic was received, or any other information that could describe the traffic or its contents. As such, depending on the characteristic, DLR 409 may need to use DPI capabilities to identify the characteristic from the network traffic. In some cases, characteristic X may be indicated to DLR 409 by the service function VM that just processed the network traffic. Such an indication may be provided in a manner similar to the tagging example from above, by passing metadata associated with the network traffic to DLR 409, by encapsulating the network traffic, or in some other manner. Also, while this example discusses a single characteristic X, multiple characteristics may be used to determine which service function VM should next receive the network traffic. Likewise, while service chain policy 700 in this example only illustrates one point in the service chain where network traffic may go to one service function or another, other examples may provide multiple such options at other points in the service chain, including after every service function VM processes the network traffic. Furthermore, while service chain policy 700 shows only two possible options when determining characteristic X, additional options may exist in other examples depending on characteristics of the network traffic.

Regardless of what characteristic X indicates, for the purposes of this example, the network traffic is found by DLR 409 to include characteristic X. DLR 409, therefore, next passes the network traffic to service function VM 404 for processing instead of service function VM 402. Upon receiving the processed network traffic from service function VM 404, DLR 409 then references service chain policy 700 to determine that the network traffic should next be passed to service function VM 405 for processing. Similarly, upon receiving the processed network traffic from service function VM 405, DLR 409 then references service chain policy 700 to determine that the network traffic should next be passed to service function VM 407.

No service function VMs remain after service function VM 407 in service chain policy 700. Therefore, once DLR 409 receives the network traffic after it has been processed by service function VM 407, DLR 409 determines that the service chain has ended for the network traffic after having been processed by service function VMs 403, 401, 404, 405, and 407. The network traffic can then be directed on its way to destination communication network 452.

Referring back to scenario 600, DLR 409 passes the network traffic back to gateway 441 at step 6 after the traffic has been processed by the service function VMs in accordance with service chain policy 700. Gateway 441 responsively forwards that processed network traffic on to destination communication network 452 at step 7. It should be understood that all of the network traffic need not complete each step before moving on to the next step, or to the next service function at step 5. That is, packets of the network traffic may still be passing through a previous stage while other packets of the same network traffic are passing through a subsequent stage.

FIG. 8 illustrates an operational scenario 800 for implementing the service chain policy to process network traffic according to one implementation. This example focuses on one possible way in which DLR 409 may determine whether the network traffic has characteristic X when using service chain policy 700 to determine whether the network traffic should be passed to service function VM 402 or service function VM 404. In this case, service function VM 401, from which DLR 409 last receives processed network traffic, provides a hint of sorts to DLR 409 indicating characteristic X. Specifically, the hint is provided to DLR 409 by way of an Ethernet encapsulation of the network traffic. A similar technique could also be used by gateway 441 when providing the initial classification of the packet traffic in the above example. While this example uses the hint to indicate characteristic X, in other examples the hint may be used to indicate to DLR 409 that the traffic should be reclassified, which may cause the traffic to be processed by a service chain policy other than service chain policy 700.

Scenario 800 begins as data packet 801, which is a packet of the network traffic discussed above, is passed to service function VM 401 for processing. At step 1, service function VM 401 processes data packet 801 as part of the network traffic. While in the examples above it is noted that the service function VMs do not need to be modified in their operation for DLR 409 to dynamically select service function VMs for the service chain, service function VM 401 is configured to encapsulate traffic that should be processed by the service function VM 404 branch of the service chain. Thus, since data packet 801 is determined to warrant the service function VM 404 branch, likely along with the other data packets of the network traffic, service function VM 401 encapsulates data packet 801 into packet encapsulation 802 before transferring packet encapsulation 802 to DLR 409. Packet encapsulation 802 may be an Ethernet encapsulation, such as dot1q or dot1ad, although other types of packet encapsulation may also be used. In this example, the mere fact that data packet 801 is encapsulated constitutes the hint; however, the hint in some examples may include metadata with more explicit information about data packet 801.

Upon receiving packet encapsulation 802, DLR 409 recognizes the encapsulation and determines at step 2 that data packet 801 has characteristic X, which causes DLR 409 to reclassify data packet 801. In some examples, though not necessarily relevant to this example, different types of encapsulation may indicate different characteristics to DLR 409. After reclassification, DLR 409 passes data packet 801 to service function VM 404 in accordance with service chain policy 700. Before being passed to service function VM 404, DLR 409 may strip data packet 801 of packet encapsulation 802 or may send data packet 801 with packet encapsulation 802 intact. It should be understood that other manners of hinting characteristics of network traffic to DLR 409 may also be used.
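The branch in service chain policy 700 (401 to 404 when characteristic X is present, otherwise to 402, then on through 405 and 407) and the encapsulation hint of scenario 800 can be simulated together. The following Python is an added illustration and is not code from the patent. The service function IDs and the branch follow the text; the hop from 402 on to 405, the use of an 802.1Q/802.1ad tag as the concrete hint encoding, the rule by which function 401 decides that a packet belongs on the 404 branch (UDP traffic), and the sample frame are all assumptions constructed for the example.

```python
"""Simulated distributed logical router (DLR) walking a branching service
chain policy, with characteristic X hinted by an Ethernet encapsulation.

Added example, not code from the patent. Function IDs and the branch
(401 -> 404 when X, otherwise 402; then 405 -> 407) follow the text; the
402 -> 405 hop, the 802.1Q/802.1ad tag as the hint encoding and the rule
by which function 401 decides X are assumptions made here."""
import struct

ETHERTYPE_DOT1Q = 0x8100   # IEEE 802.1Q (dot1q) tag protocol identifier
ETHERTYPE_DOT1AD = 0x88A8  # IEEE 802.1ad (dot1ad) tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Modelled on "service chain policy 700": for the function that has just
# returned the packet (None = entering the chain), the next function per
# classification; "default" applies when a classification has no own rule.
POLICY_700 = {
    None: {"default": 403},
    403: {"default": 401},
    401: {"default": 402, "X": 404},  # the one branch point in the example
    402: {"default": 405},            # assumed continuation of the 402 branch
    404: {"default": 405},
    405: {"default": 407},
    407: {},                          # nothing after 407: the chain ends
}

def parse_ethernet(frame):
    """Return (ethertype, tagged) for a raw Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return ethertype, ethertype in (ETHERTYPE_DOT1Q, ETHERTYPE_DOT1AD)

def add_tag(frame, tpid=ETHERTYPE_DOT1Q, vid=100):
    """Encapsulate: insert a 4-byte TPID + TCI tag after the MAC addresses."""
    return frame[:12] + struct.pack("!HH", tpid, vid & 0x0FFF) + frame[12:]

def strip_tag(frame):
    """Remove the outer tag again (what the DLR may do before forwarding)."""
    return frame[:12] + frame[16:] if parse_ethernet(frame)[1] else frame

def build_ipv4_frame(proto, payload=b"constructed payload"):
    """Constructed sample frame: Ethernet + minimal IPv4 header + payload."""
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                     proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + payload

def sf_401(frame):
    """Service function 401: encapsulates frames that belong on the 404
    branch. Tagging UDP traffic is a constructed rule for this example."""
    return add_tag(frame) if frame[14 + 9] == IPPROTO_UDP else frame

def passthrough(frame):
    """The other service functions leave the frame unchanged here."""
    return frame

SERVICE_FUNCTIONS = {401: sf_401, 402: passthrough, 403: passthrough,
                     404: passthrough, 405: passthrough, 407: passthrough}

class LogicalRouter:
    def __init__(self, policy, strip_hint=True):
        self.policy = {k: dict(v) for k, v in policy.items()}  # private copy
        self.strip_hint = strip_hint

    def classify(self, frame):
        """New classification on return from a function: the mere presence
        of the encapsulation is the hint for characteristic X."""
        return "X" if parse_ethernet(frame)[1] else None

    def next_function(self, current, classification):
        rules = self.policy.get(current, {})
        return rules.get(classification, rules.get("default"))

    def update_policy(self, current, classification, new_next):
        """Policy update: later packets with this classification are sent
        to a different next function (claims 9 and 19)."""
        self.policy.setdefault(current, {})[classification] = new_next

    def run_chain(self, frame, functions, initial="default"):
        """Walk the chain; return the functions visited, in order, and the
        frame as it leaves the chain for the destination network."""
        classification, current, visited = initial, None, []
        while True:
            nxt = self.next_function(current, classification)
            if nxt is None:
                return visited, frame
            frame = functions[nxt](frame)
            visited.append(nxt)
            current = nxt
            hinted = self.classify(frame)
            if hinted:
                classification = hinted
                if self.strip_hint:
                    frame = strip_tag(frame)
```

Running `LogicalRouter(POLICY_700).run_chain(build_ipv4_frame(IPPROTO_UDP), SERVICE_FUNCTIONS)` visits 403, 401, 404, 405 and 407 and returns the frame with the tag stripped, while a TCP frame (protocol 6) takes the 402 branch; constructing the router with `strip_hint=False` forwards the encapsulation intact, as the text allows, and `update_policy` changes the next function for subsequent packets with a given classification without touching the shared policy table.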

The descriptions and figures included herein depict specific implementations of the claimed invention(s). For the purpose of teaching inventive principles, some conventional aspects have been simplified or omitted. In addition, some variations from these implementations may be appreciated that fall within the scope of the invention. It may also be appreciated that the features described above can be combined in various ways to form multiple implementations. As a result, the invention is not limited to the specific implementations described above, but only by the claims and their equivalents.

What is claimed is:
 1. A method comprising: in a logical router for a logical network connecting service functions: receiving a network packet from a service function over the logical network after the network packet has been processed by the service function; determining a new classification of the network packet; and determining a next service function based on application of a service chain policy to the new classification; and directing the network packet to the next service function over the logical network.
 2. The method of claim 1, comprising: after the network packet has been processed by the next service function and before the logical router passes the network packet to a second next service function, determining the second next service function based on application of the service chain policy to the new classification; and directing the network packet from the logical router to the second next service function.
 3. The method of claim 1, wherein determining the new classification comprises: processing the network packet to identify information about the network packet, wherein the information indicates the new classification.
 4. The method of claim 3, wherein the information comprises an Ethernet encapsulation of the network packet by the one service function.
 5. The method of claim 3, wherein the information comprises data contained in a header of the network packet.
 6. The method of claim 3, wherein processing the network packet comprises: performing deep packet inspection (DPI) on the network packet to obtain the information.
 7. The method of claim 1, comprising: determining an initial classification of the network packet; determining the service function based on application of the service chain policy to the initial classification; and directing the network packet to the service function over the logical network.
 8. The method of claim 7, wherein determining the initial classification comprises: classifying the network packet based on a source of the network packet.
 9. The method of claim 1, comprising: receiving an update for the service chain policy in the logical router, wherein the update for the service chain policy indicates a different next service function than the next service function for subsequent network packets having the new classification.
 10. The method of claim 1, wherein the logical router comprises a distributed logical router executing on one or more host computing systems.
 11. An apparatus comprising: one or more physical host computing systems configured to implement a logical router for a logical network connecting service functions; the logical router configured to: receive a network packet from a service function over the logical network after the network packet has been processed by the service function; determine a new classification of the network packet; and determine a next service function based on application of a service chain policy to the new classification; and direct the network packet to the next service function over the logical network.
 12. The apparatus of claim 11, wherein the logical router is configured to: after the network packet has been processed by the next service function and before the logical router passes the network packet to a second next service function, determine the second next service function based on application of the service chain policy to the new classification; and direct the network packet from the logical router to the second next service function.
 13. The apparatus of claim 11, wherein to determine the new classification, the logical router is configured to: process the network packet to identify information about the network packet, wherein the information indicates the new classification.
 14. The apparatus of claim 13, wherein the information comprises an Ethernet encapsulation of the network packet by the one service function.
 15. The apparatus of claim 13, wherein the information comprises data contained in a header of the network packet.
 16. The apparatus of claim 13, wherein to process the network packet, the logical router is configured to: perform deep packet inspection (DPI) on the network packet to obtain the information.
 17. The apparatus of claim 11, wherein the logical router is configured to: determine an initial classification of the network packet; determine the service function based on application of the service chain policy to the initial classification; and direct the network packet to the service function over the logical network.
 18. The apparatus of claim 17, wherein to determine the initial classification, the logical router is configured to: classify the network packet based on a source of the network packet.
 19. The apparatus of claim 11, wherein the logical router is configured to: receive an update for the service chain policy in the logical router, wherein the update for the service chain policy indicates a different next service function than the next service function for subsequent network packets having the new classification.
 20. The apparatus of claim 11, wherein the logical router comprises a distributed logical router executing on the one or more host computing systems.